Never seen a miscalibrated CRT touchscreen before? You know, where the cursor is offset from the touchpoint by a constant distance? I mean, it's certainly possible that it's legitimate manipulation, but the fact that he didn't poke Stein to see if it selected Obama, etc. I've got a hard time putting any stock in it.

Besides, if you could mess with the machine on that level, why SHOW the voter you're tampering with their vote?

" Being a software developer, I immediately went into troubleshoot mode. I first thought the calibration was off and tried selecting Jill Stein to actually highlight Obama. Nope. Jill Stein was selected just fine. Next I deselected her and started at the top of Romney's name and started tapping very closely together to find the 'active areas'. From the top of Romney's button down to the bottom of the black checkbox beside Obama's name was all active for Romney. From the bottom of that same checkbox to the bottom of the Obama button (basically a small white sliver) is what let me choose Obama. Stein's button was fine. All other buttons worked fine"

" Being a software developer, I immediately went into troubleshoot mode. I first thought the calibration was off and tried selecting Jill Stein to actually highlight Obama. Nope. Jill Stein was selected just fine. Next I deselected her and started at the top of Romney's name and started tapping very closely together to find the 'active areas'. From the top of Romney's button down to the bottom of the black checkbox beside Obama's name was all active for Romney. From the bottom of that same checkbox to the bottom of the Obama button (basically a small white sliver) is what let me choose Obama. Stein's button was fine. All other buttons worked fine"

You don't find it odd at all those rather important details are entirely omitted from the video? Like I said, it's entirely possible that what he's saying is true; doesn't change the fact that the video is useless. Whenever you see a story that provides evidence that backs up only a small section of itself, despite the opportunity to back up its entirety, it's prudent to be skeptical. That's all.

"You're missing the point. This guy is intercepting signals between keyboard and CPU, not over some network or between multiple devices. It's all happening inside a closed ecosystem that he has full control over."

I beg to differ. He's not keylogging or input logging, he's analysing the results the "smarts of the machine" (FTA) are transmitting after the initial selection has been made, which encryption would solve excellently; this is how bank ATMs protect PIN entry from snooping in exactly this fashion.

I'm also saying these arguments are largely irrelevant, because a combination of bog standard hardware and process would render his attacks, and any physical attack, meaningless, because the interference would be detected and remedied.

"...That's not at all what the article you linked to, or anything in your post, is about."

The article I linked to was to prove that commercial, OTS hardware solutions for encryption were a well known thing more than a decade ago. My larger point, which you also seem to have missed, is that you cannot make something unfarkable. You can make it increasingly difficult to fark, and you can minimize the effects of a breach, and these are very, very well known, baseline concepts in security.

I'm not going to architect a security strategy for electronic voting on fark because I get paid good money to do things like that, but I will say that there are any number of ways that these machines should be secured, and aren't, that would completely negate this attack or minimize its importance, and there is absolutely nothing novel about any of them. They are standard practice for large parts of the technology sector, which is why I brought up ATMs, which include, by design, many of those solutions including encryption, and are built by the same manufacturers as voting machines.

So yes, you can absolutely harden against this guy's attack and all the other MITM attacks that have been discussed with ease. It was a design decision, not a technological one, to make these machines so shiatty.

unchellmatt:willfullyobscure: This is incorrect. Hardware encryption is not a new thing. It is an old thing. There are almost too many choices, and better ones every day.

Presumably, someone has to have the key to decrypt the data on the machines. IF someone had access to the machines, and the key, it wouldn't be exactly a difficult task. Currently machines aren't watched, at least not sufficiently. It's been documented, from lax checks and balances with regards to who can do what, to Diebold machines being laughably easy to crack, that just such things could take place.

I'm not saying they do, however if it's possible, it should be assumed that someone will, eventually.

yes yes yes, and today's unbreakable 2048-bit RSA is tomorrow's plaything and nothing is ever truly secure, and we're all going to die, etc etc etc. Security is about minimizing the effects of a breach and moving the goalposts, which is the real problem here. These people introduce advanced technology and have no idea how to control it even though the rest of the tech world does.

willfullyobscure:So yes, you can absolutely harden against this guy's attack and all the other MITM attacks that have been discussed with ease. It was a design decision, not a technological one, to make these machines so shiatty.

Not going to argue with that, but what keeps someone with physical access to just inserting themselves into the layer between the input controller and the actual input device and just spoofing the user to do whatever they want while providing false feedback? No matter how much you encrypt communications, there's always going to be hole there, especially with a push-button UI. With physical access, there's always going to be an exploit, but does that exploit pose any greater risk than physical access to a paper ballot would have?

IMHO, good intrusion logging is the place to start. If you can reliably say, "this device was deployed or opened before the voting period," it's an improvement. Then again, I guess the flip side of that is all you'd have to do to vote tamper is trip the intrusion detection in a district that was mostly your opposition.

ProfessorOhki:willfullyobscure: So yes, you can absolutely harden against this guy's attack and all the other MITM attacks that have been discussed with ease. It was a design decision, not a technological one, to make these machines so shiatty.

Not going to argue with that, but what keeps someone with physical access to just inserting themselves into the layer between the input controller and the actual input device and just spoofing the user to do whatever they want while providing false feedback? No matter how much you encrypt communications, there's always going to be hole there, especially with a push-button UI. With physical access, there's always going to be an exploit, but does that exploit pose any greater risk than physical access to a paper ballot would have?

IMHO, good intrusion logging is the place to start. If you can reliably say, "this device was deployed or opened before the voting period," it's an improvement. Then again, I guess the flip side of that is all you'd have to do to vote tamper is trip the intrusion detection in a district that was mostly your opposition.

Logging is absolutely part of the answer, but encryption solves the input puzzle too. All the attacker can see via this method is a) what the user selected, which is likely a number ("button 1", "button 2") and b) what the machine farts back at the user ("you selected Bronco Bama, are you sure"). Knowing A is useless without knowing B as well. Encrypting the data that the machine sends out means that B becomes unknown, and therefore figuring out A becomes much, much trickier, and requires lots of data collection and statistical analysis and crypto games and shiat.

Even if you know that Button1==Obama, it still doesn't help you because you don't know what the machine returns and what it does with the data. You can feed it lots of Button1==Obama inputs; you don't know what it wants next or if they were recorded correctly, see what I mean?

Intrusion detection should be standard, too: open the chassis and the machine goes D-E-D dead until it gets reset by the operator with a special one-time token from the manufacturer, make it do a hardware check on boot (you can make these nearly impossible to beat), hell, run it in a sandbox and require it to authenticate with a certified controller, log BIOS alterations etc. All of these are standard options on what is considered hardened IT gear. In fact, I'm willing to bet that they are standard options on the very gear that Diebold builds these boxes out of, and they chose not to turn it on to save time/money.

Now add relevant software logging on these and detecting fraud/tampering becomes trivial. Other problems with transferring the data and so on I haven't covered, but they are just as important. But EASY. The point is that these are security 101 practices; they're not even best practices, they're standard practices.
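The tamper latch and one-time manufacturer reset token proposed in the post above, plus the "was this device opened before the voting period" audit from ProfessorOhki's post, as an added Python model; this is not code from the thread or from any voting-machine vendor, and the serial, key and timestamps are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed for this example: a stand-in for a key provisioned at manufacture.
MANUFACTURER_KEY = b"example-key-not-a-real-secret"


def issue_reset_token(key: bytes, serial: str) -> str:
    """Manufacturer side: a fresh nonce bound to one serial, authenticated with HMAC."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, f"{serial}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}:{mac}"


@dataclass
class VotingMachine:
    serial: str
    key: bytes                                    # provisioned at manufacture (assumption)
    disabled: bool = False
    events: list = field(default_factory=list)    # append-only intrusion log: (kind, ts)
    used_nonces: set = field(default_factory=set)  # defeats token replay

    def chassis_opened(self, ts: int) -> None:
        """Intrusion switch fired: log it and latch the machine off."""
        self.events.append(("chassis_open", ts))
        self.disabled = True

    def cast_vote(self, ts: int) -> bool:
        """A latched machine refuses input until an operator resets it."""
        if self.disabled:
            self.events.append(("vote_rejected", ts))
            return False
        self.events.append(("vote", ts))
        return True

    def reset(self, ts: int, token: str) -> bool:
        """Accept only an unused token whose MAC matches this machine's serial."""
        nonce, _, mac = token.partition(":")
        expected = hmac.new(self.key, f"{self.serial}:{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if nonce in self.used_nonces or not hmac.compare_digest(mac, expected):
            self.events.append(("reset_rejected", ts))
            return False
        self.used_nonces.add(nonce)
        self.disabled = False
        self.events.append(("reset", ts))
        return True


def opens_before_polls(events, polls_open: int) -> list:
    """Audit question from the thread: was the case opened before voting began?"""
    return [ts for kind, ts in events if kind == "chassis_open" and ts < polls_open]
```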

willfullyobscure:Logging is absolutely part of the answer, but encryption solves the input puzzle too. All the attacker can see via this method is a) what the user selected, which is likely a number ("button 1", "button 2") and b) what the machine farts back at the user ("you selected Bronco Bama, are you sure"). Knowing A is useless without knowing B as well. Encrypting the data that the machine sends out means that B becomes unknown, and therefore figuring out A becomes much, much trickier, and requires lots of data collection and statistical analysis and crypto games and shiat.

Even if you know that Button1==Obama, it still doesn't help you because you don't know what the machine returns and what it does with the data. You can feed it lots of Button1==Obama inputs; you don't know what it wants next or if they were recorded correctly, see what I mean?

That's more true with something like a touchscreen though. The thing in the picture, the best I can tell, is one of these: Link Which sucks for a whole host of reasons and has been hacked many times before apparently. But if it doesn't have a paper trail or any other sort of output, which it at least doesn't seem to...

Alright, if it's a touch screen where you can go back and forth and edit choices, that's a different can of worms I suppose. But the one in the video for example, it's laid out like a paper ballot. It has a row of buttons and indicator LEDs for each field. No amount of encryption can keep someone from sitting on those buttons and LEDs, turning 25% of button 2's into button 1's, and still lighting up LED 2. I don't have audio right now, but that sort of looks like what they did in this case. You can encrypt every signal within the system, but swapping the lines always seems like an easy attack vector. It really seems like the push-button/LED UI lends itself to a lot of easy opportunities for exploitation.

I'm sure you could do something elaborate like putting controllers inside the switches and signing them, but then someone could still swap the physical buttons to swap the percentages for two candidates.

willfullyobscure:"You're missing the point. This guy is intercepting signals between keyboard and CPU, not over some network or between multiple devices. It's all happening inside a closed ecosystem that he has full control over."

I beg to differ. He's not keylogging or input logging, he's analysing the results the "smarts of the machine"(FTA) are transmitting after the initial selection has been made

Well, he pretty clearly says that he "listened to the communication going on between the smarts of the machine and the voter", so I'm not sure what transmissions you're referring to, other than the user "transmitting" his key presses and the monitor "transmitting" a UI. I can't think of any other communication going on between the user and the machine.

I agree with you on the "nothing is unfarkable" point, but my point here is that encryption provides little to no barrier against the attack the guy's describing, so it's a moot point to argue for it. There's always an unencrypted input for him to intercept, and he still needs to do most of his work at presenting a fake UI to the user. I guess some kind of handshaking going on between the computer and the monitor would help because then he'd have to bring his own monitor to replace it, and still have the old one connected. But the machines they use around here look like you could fit a lot inside their boxes.

Seems like all that custom hardware is going to add a lot of costs too, when just keeping the machines locked up would suffice.

China White Tea:machoprogrammer: Wait, if you can get physical access to a computer, you can put microprocessors in it to change the vote?

Good thing you couldn't mess with vote totals by getting access to paper ballot boxes!!

Seriously, this article is retarded. It is the equivalent of getting access to the paper ballot boxes and pumping it full of fake ballots.

I guess that would be relevant if this were fundamentally about paper ballots vs. e-voting, but it's not really about that. The actual issue here is that this implementation of e-voting is pathetically insecure, and that this should be corrected.

Don't let that stop you from derping about some irrelevant tangential issue, though.

How the fark are you going to put a microprocessor in the voting machine without having access to it?

Jim_Callahan:Yes, indeed, if you do the electronic equivalent of setting your box of ballots down by a dude with a custom ballot-printing press, without bothering to lock it, then go get coffee and don't bother keeping a list of the number of people that voted or looking for suspicious patterns in the ballots, then it's possible that someone might mess with them.

Who farking knew.

//Most hypothetical situations where a vote could be compromised by someone with access could be compromised to an even greater degree, much less traceably, for paper ballots by someone with equivalent access. Good to see that everyone's booting up their "the other guy stole the election" excuses in advance this year, though.

Not really. There are several checks on the paper ballots at my polling station. You go up to the little old ladies who work the registration booth. They give you a number, you take that number to the ballot dude who then records it and gives you a ballot. Thus if the numbers that the little old ladies give out, the numbers that the ballot dude obtains, and the number of ballots recorded in the automated ballot reader, don't match, you can be pretty sure something is up. So rather than just one step to break, there are 3.

The_Homeless_Guy:Jim_Callahan: Yes, indeed, if you do the electronic equivalent of setting your box of ballots down by a dude with a custom ballot-printing press, without bothering to lock it, then go get coffee and don't bother keeping a list of the number of people that voted or looking for suspicious patterns in the ballots, then it's possible that someone might mess with them.

Who farking knew.

//Most hypothetical situations where a vote could be compromised by someone with access could be compromised to an even greater degree, much less traceably, for paper ballots by someone with equivalent access. Good to see that everyone's booting up their "the other guy stole the election" excuses in advance this year, though.

Not really. There are several checks on the paper ballots at my polling station. You go up to the little old ladies who work the registration booth. They give you a number, you take that number to the ballot dude who then records it and gives you a ballot. Thus if the numbers that the little old ladies give out, the numbers that the ballot dude obtains, and the number of ballots recorded in the automated ballot reader, don't match, you can be pretty sure something is up. So rather than just one step to break, there are 3.

So, that stops a ballot stuffing hack, but this guy is talking about changing your vote, not new ones (a lot of those same controls exist for the electronic machines here). Consider the following situation that could come up with your paper ballots:

Let's say your ballots are for an optical scanner, like the answer sheets you filled out for the SAT. Since every voter needs to have one ballot, a big stack gets deployed to each polling place before the election. It then sits in the basement mostly unguarded. The polling workers figure it's not a big deal, since all the checks you mentioned to prevent ballot stuffing are in place.

The ballots consist of several multiple choice questions, one of which is "who should be President?", with the answer options being: A: "Obama, Barack", B: "Romney, Mitt", C: "PAUL, RON". Obama wants to beat Romney, so he prints up some fake ballots that say: A: "Obama, Barack", B: "PAUL, RON", C: "Romney, Mitt", and sends his operatives to various church basements in conservative-leaning areas.

The results? Voters might do a double take as to why RON PAUL is between the two other candidates, but they dismiss it thinking that the ballot is just sorted in alphabetical order by last name, so they proudly pick C and cast their vote for whatever chaos a Romney presidency will entail.

Now, the ballots in a statistically-significant number of polling locations have been replaced with Obama's decoys, but the scanners still assume they're being fed the originally configured ballots. So, all those Romney supporters look like RON PAUL supporters and vice versa. Obama wins and Republicans blame RON PAUL for siphoning their votes.

Now, you might be saying that the above attack could easily be thwarted when a poll worker notices that the paper ballot and the machine's configuration don't match each other, but that's entirely the point. The "hack" mentioned in TFA would be just as easily identified if somebody looked at a voting machine and said, "hey WTF is this extra hardware in here for?" And of course both could be prevented by just adding a little bit more physical security to the hardware involved.